Bitwarden CLI Npm Package Backdoored for 90 Minutes as Shai-Hulud Worm Resurfaces Through Checkmarx Breach
A malicious build of @bitwarden/cli@2026.4.0 was live on npm for roughly 93 minutes on April 22 after attackers used credentials stolen from Checkmarx to push a self-propagating worm that harvests cloud, Git, and AI tooling credentials.
Overview
A malicious version of the Bitwarden command-line interface was published to npm on April 22, 2026, and remained live long enough to install on hundreds of developer and CI machines before maintainers pulled it down. According to BleepingComputer, the tampered build of @bitwarden/cli@2026.4.0 was distributed between 5:57 PM and 7:30 PM ET — a window of roughly 93 minutes — during which it harvested npm, GitHub, SSH, and major-cloud credentials from any environment that ran npm install.
The compromise was not a break of the Bitwarden vault itself. The password manager’s stored credentials, production systems, and end-user data were not accessed, the company said. What was hit was the distribution pipeline that ships the open-source CLI client through npm — the same class of attack that has dominated software-supply-chain incidents over the past year.
The intrusion has been traced back to the recent breach of Checkmarx’s GitHub Actions infrastructure, and the payload itself carries the calling card of a familiar campaign: the string “Shai-Hulud: The Third Coming.”
How the Package Got Tampered
Bitwarden CLI is a developer tool used to script vault access in CI pipelines, secrets brokers, and command-line workflows. According to SecurityWeek, the package has more than 250,000 monthly downloads, and version 2026.4.0 was published with an altered execution path that ran a malicious loader, downloaded a Bun JavaScript runtime archive from GitHub, extracted it, and executed an obfuscated payload.
BleepingComputer reports that attackers reached the package by injecting malicious code through a compromised GitHub Action in Bitwarden’s CI/CD pipeline. A custom loader file, bw_setup.js, fetched the Bun runtime and then ran an obfuscated payload, bw1.js, that did the actual credential collection. Exfiltrated data was AES-256-GCM encrypted before being pushed out through public GitHub repositories created on victim accounts.
The entry point was not Bitwarden’s own infrastructure. According to SecurityWeek, the malicious build was the downstream consequence of an earlier compromise of Checkmarx’s public DockerHub KICS image, the ast-github-action repository, the company’s VS Code extension, and its Developer Assist extension. A GitHub Action drawn from that compromised supply chain ran inside Bitwarden’s release workflow and was used to push the tampered npm artifact, with The Hacker News noting that the trojanized ast-github-action was specifically among the artifacts that propagated downstream.
BleepingComputer notes that the malware shared infrastructure with the Checkmarx payload, including the same audit.checkmarx[.]cx/v1/telemetry endpoint and identical obfuscation routines — strong evidence that the two intrusions are part of a single coordinated operation.
What the Worm Steals
The payload is built around credential capture. According to BleepingComputer, it collects npm tokens, GitHub authentication tokens, SSH keys, and AWS, Azure, and Google Cloud credentials from the host. SecurityWeek adds that the theft framework also goes after shell history, AI tooling configuration, and files associated with the Model Context Protocol — the configuration surface used by an emerging class of agentic developer assistants. GitHub tokens that the worm finds are not simply exfiltrated; they are weaponized to create attacker-controlled repositories and pull additional secrets from CI/CD systems, SecurityWeek reports.
The exfiltration channel itself is unusual. Encrypted results are written to commit blobs in repositories the worm creates on victim accounts, with a fallback HTTPS post to the same Checkmarx-themed dead-drop domain used by the upstream campaign, according to BleepingComputer. The implication for incident responders is that stolen secrets can sit in repositories the victim themselves owns until they are noticed.
The Shai-Hulud Branding
The most striking forensic detail is the string the malware leaves behind on the repositories it creates. According to SecurityWeek, the payload includes the marker “Shai-Hulud: The Third Coming” — the same Dune-themed branding used in two earlier waves of npm-targeting worms that compromised more than 180 packages in a September incident and over 640 packages in November.
BleepingComputer reports that the operation is being attributed to TeamPCP, the same threat actor behind the broader Checkmarx breach, and writes that the group “previously targeted developer packages in the massive Trivy and LiteLLM supply chain attacks.” The Hacker News corroborates the TeamPCP-Checkmarx link. The Machine Herald previously reported on the LiteLLM intrusion, in which TeamPCP used credentials harvested from the Trivy compromise to backdoor two PyPI versions of an AI proxy library used in an estimated 500,000 cloud environments. The Bitwarden incident is the same playbook applied to a higher-trust target: a security tool published by a security vendor.
Bitwarden’s Response and What End Users Should Know
Bitwarden has been clear that the vault product is not implicated. The company’s official statement, summarized by BleepingComputer and SecurityWeek, said its investigation found no evidence that end-user vault data was accessed or at risk, and no evidence that production data or production systems were compromised. The company revoked the compromised credentials and deprecated the malicious 2026.4.0 release on npm, BleepingComputer reports.
The population at risk is narrow but specific: developers, CI runners, and automation accounts that ran npm install -g @bitwarden/cli or pulled the package as a transitive dependency during the 93-minute window on April 22. BleepingComputer advises anyone in that group to treat the affected systems as compromised and rotate exposed secrets — particularly CI/CD pipeline credentials, GitHub tokens, npm tokens, SSH keys, and cloud provider access keys.
What We Don’t Know
The incident is still being analyzed by JFrog, Socket, and OX Security, the three vendors named by SecurityWeek as providing the technical breakdown. Several questions remain open in those public writeups.
The exact number of installations during the 93-minute window has not been disclosed by Bitwarden or by npm, only the fact that the package is a high-traffic one with more than 250,000 monthly downloads, according to SecurityWeek. It is also not yet public how many additional npm packages were poisoned through the worm’s self-propagation features after stolen tokens were used to republish other maintainer packages, or how far the cascade reached before being contained. Attribution to TeamPCP rests on payload reuse and shared infrastructure with the Checkmarx campaign, as reported by BleepingComputer and The Hacker News; no formal indictment or government-backed attribution has been published.
Why This Matters
The Bitwarden incident continues a pattern that has defined recent supply-chain coverage at The Machine Herald: the highest-trust developer infrastructure — security scanners, AI proxies, password manager CLIs — is being used as a delivery vehicle for credential-stealing worms that then jump laterally through whatever package ecosystem the victim controls. The Checkmarx-to-Bitwarden chain shows the model in compressed form: a single compromised CI dependency at one vendor became a publishing pipeline into another vendor’s release within weeks.
For developers, the practical lesson from BleepingComputer’s and SecurityWeek’s reporting is unchanged from prior incidents: pin npm versions, audit transitive Action dependencies, and assume that any system that ran a brand-new release of a popular package within a small time window may have executed adversary code with the privileges of its own service account.